This policy provides an explanation as to what happens to any personal data that you share with us, or that we collect from you either directly via this Website or via email.
Certain businesses are required under the data protection act to have a data controller. For the purpose of the Data Protection Act 1998 our Data Controller can be contacted via email at email@example.com.
1. Information we collect
In operating our Website we may collect and process the following data about you:
1.1 Details of your visits to our Website and the resources that you access including, but not limited to, traffic data, location data, web log statistics and other communication data.
1.2 Information that you provide by filling in forms on our Website, such as when you register to receive information such as a newsletter or contact us via the contact us page.
1.3 Information provided to us when you communicate with us for any reason.
On occasion, we may gather information about your computer for our services, and to provide statistical information regarding the use of our Website.
Such information will not identify you personally, it is statistical data about our visitors and their use of our Website. This statistical data does not identify any personal details whatsoever. It is used by us to analyse how visitors interact with the Website so that we can continue to develop and improve this Website.
We may gather information about your general Internet use by using a cookie file that is downloaded to your computer. Where used, these cookies are downloaded to your computer automatically. This cookie file is stored on the hard drive of your computer as cookies contain information that is transferred to your computer’s hard drive. They help us to improve our Website and the service that we provide to you.
All computers have the ability to decline cookies. This can be done by activating the setting on your browser which enables you to decline the cookies. Please note that should you choose to decline cookies, you may be unable to access particular areas of our Website.
3. Use of your information.
The information that we collect and store relating to you is primarily used to enable us to provide our services to you. In addition, we may use the information for the following purposes:
3.1 To provide you with information requested from us relating to our services and to provide information on other services which we feel may be of interest to you if you have consented to receive such information.
3.2 To meet our contractual commitments in delivery of our services to you.
3.3 To notify you about any changes to our Website, such as improvements or service/product changes, that may affect our service.
3.4 If you are an existing patient, we may contact you with information about services similar to those which you previously used.
3.6 If you are a new customer, we will only contact you when you have provided consent and only by those means you provided consent for.
3.7 If you do not want us to use your data for ourselves you will have the opportunity to withhold your consent to this when you provide your details to us on the form on which we collect your data.
4. Storing your personal data
4.1 We use a third-party healthcare platform called Signal in order to securely store your patient information. This includes personal data (e.g. date of birth and address), test results and letters of correspondence. When we transfer your data to Signal, it is only over an encrypted connection. Your data is stored in an encrypted database, and only authorised members of Imperial Reproductive Endocrinology staff have access to it over an encrypted VPN connection.
4.2 While we use bank-grade SSL encryption on our website to encrypt all communications between your device and our servers, the transmission of information via the internet is not completely secure and therefore we cannot guarantee the security of data sent to us electronically and the transmission of such data is entirely at your own risk. Where we have given you (or where you have chosen) a password so that you can access certain areas of our site, you are responsible for keeping this password confidential.
5. GDPR compliance summary
We are committed to ensuring the very highest levels of data protection for our patients. As such, we employ highly-skilled IT professionals to help us achieve this. We use bank-grade encryption and best-practices extensively throughout our business.
Furthermore, the GDPR regulations require us to explain why we collect patient data and what it is used for. Below is a summary of the key points you need to know before you send your data to us for processing and storage.
Identity and contact details of the controller and the data protection officer: Please email us (firstname.lastname@example.org).
Purpose of the processing and the legal basis for the processing: Our lawful basis is one of contract. We need to store and process your personal data (for example, your date of birth, name, and test results) in order to fulfil our contractual obligations to you in delivering a service that you have requested and paid us to perform (e.g. a consultation or surgery). We cannot fulfil our contractual obligations to you without being able to store and process your personal data to understand your medical needs.
Special categories of personal data: we collect and store data relating to our patients’ racial or ethnic origin and health. Due to our medical speciality, we may also collect and store data on our our patients’ sex life. Processing of this data is necessary for the purposes of carrying out our contractual obligations to deliver our medical services: racial, health and sexual data is required in order for us to ensure the highest standards of quality and safety of health care.
Any recipient or categories of recipients of the personal data: only employees of Imperial Reproductive Endocrinology, such as secretaries and doctors are able to process the personal data. This is controlled by secure login to Signal (our healthcare platform). For security, employees are issued with computer-generated passwords that are long and complex (e.g. TV^!S$jJHZ&5gpI6Mo3C)
Details of transfers to third country and safeguards: all our patient data is retained in encrypted form on UK servers. No transfers are made to third parties or to third countries.
Retention period or criteria used to determine the retention period: in accordance with UK law, we keep patient data for 7 years from the date of last appointment in order to be able to provide followup appointments. Additionally, if you choose to transfer to another healthcare provider, our retention period allows us to (with your consent) transfer our patient data (including medical details of services we have performed) to them.
The existence of each data subject’s rights: you have specified rights under the GDPR legislation. These are:
- a right of access to a copy of the information comprised in your personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damages caused by a breach of the Act.
Please contact us to exercise any of these rights.
The right to withdraw consent at any time: if we have not provided medical services (and so are not required to maintain medical records for 7 years from the last date of service), you may withdraw consent to us storing your information. We will delete your information and notify you of this. Please be aware that we can no longer provide medical services if this consent is withdrawn, and will require you to provide consent again if you require medical services.
The right to lodge a complaint with a supervisory authority: you have the right to complain to the ICO.
Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data : We need to store and process your personal data (for example, your date of birth, name, and test results) in order to fulfil our contractual obligations to you in delivering a service that you have requested and paid us to perform (e.g. a consultation or surgery). We cannot fulfil our contractual obligations to you without being able to store and process your personal data to understand your medical needs. The consequences of failing to provide the personal data are that we cannot treat you as a patient.
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences: we frequently analyse anonymised patient data to better understand the success of our treatments. For example, we may want to look at continence rates broken down by the grade of prostate cancer to understand how we can improve treatment for patients with a high grade (aggressiveness) of prostate cancer. We do not believe these actions have significant consequences for our patient data as they are anonymised and patient data cannot be derived from them.
6. Disclosing your information
6.1 Where applicable, we may disclose your personal information to any member of our group. This includes, where applicable, our subsidiaries, our holding company and its other subsidiaries.
6.2 We may also disclose your personal information to third parties:
6.2.1 Where we sell any or all of our business and/or our assets to a third party.
6.2.2 Where we are legally required to disclose your information.
6.2.2 To assist fraud protection and minimise credit risk.
7. Third party links
You will find links to third party websites on our Website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
8. Access to information
The Data Protection Act 1998 gives you the right to access the information that we hold about you. Please note that any demand for access may be subject to payment of a fee of £10 which covers our costs in providing you with the information requested. Should you wish to receive details that we hold about you please contact us using the contact details below.
9. Contacting us
We welcome any queries, comments or requests you may have regarding this policy. Please do not hesitate to contact us at email@example.com .